Disallow all extensions in actuator endpoints (except .json)

Along with the recent change in Spring to use content-disposition
"inline" (which prevents the download), it also makes sense to limit
the extensions allowed by the actuator endpoints. Really there *is*
no extension for these endpoints, but since all of them explicitly
produce JSON we can add .json for browsers as a convenience in case
the app would otherwise choose to send XML.

Fixes gh-4402
pull/4446/head
Dave Syer 9 years ago
parent 1204559815
commit 8749fc745b

@ -84,6 +84,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
// By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
// and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
setOrder(-100);
setUseSuffixPatternMatch(false);
}
@Override
@ -121,7 +122,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
String prefix = StringUtils.hasText(this.prefix) ? this.prefix + path : path;
Set<String> defaultPatterns = mapping.getPatternsCondition().getPatterns();
if (defaultPatterns.isEmpty()) {
return new String[] { prefix };
return new String[] { prefix, prefix + ".json" };
}
List<String> patterns = new ArrayList<String>(defaultPatterns);
for (int i = 0; i < patterns.size(); i++) {
@ -142,7 +143,8 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
private RequestMappingInfo withNewPatterns(RequestMappingInfo mapping,
String[] patternStrings) {
PatternsRequestCondition patterns = new PatternsRequestCondition(patternStrings);
PatternsRequestCondition patterns = new PatternsRequestCondition(patternStrings,
null, null, useSuffixPatternMatch(), useTrailingSlashMatch(), null);
return new RequestMappingInfo(patterns, mapping.getMethodsCondition(),
mapping.getParamsCondition(), mapping.getHeadersCondition(),
mapping.getConsumesCondition(), mapping.getProducesCondition(),

@ -90,6 +90,22 @@ public class MvcEndpointIntegrationTests {
assertIndentedJsonResponse(SpringDataRestConfiguration.class);
}
@Test
public void fileExtensionNotFound() throws Exception {
this.context = new AnnotationConfigWebApplicationContext();
this.context.register(DefaultConfiguration.class);
MockMvc mockMvc = createMockMvc();
mockMvc.perform(get("/beans.cmd")).andExpect(status().isNotFound());
}
@Test
public void jsonExtensionProvided() throws Exception {
this.context = new AnnotationConfigWebApplicationContext();
this.context.register(DefaultConfiguration.class);
MockMvc mockMvc = createMockMvc();
mockMvc.perform(get("/beans.json")).andExpect(status().isOk());
}
@Test
public void nonSensitiveEndpointsAreNotSecureByDefault() throws Exception {
this.context = new AnnotationConfigWebApplicationContext();

Loading…
Cancel
Save